I want to setup up a Keycloak SSO for, say, five apps:  only one of which is required (by U.S. State Law) to become logged out upon ten inactive minutes timeout. 

How can I achieve this in Keycloak?

So for example:  user signs in to Keycloak and begins working in APP1 then switches to APP2 and stays there for more than ten minutes.  User re-visits APP1 which has been idle for more than ten minutes.  By law he needs to re-authenticate to APP1 even though he remains already authenticated in Keycloak.  How to force re-authentication for at least APP1?

-Richard